Author: peter_firmstone Date: Fri Apr 5 11:12:44 2013 New Revision: 1464924
URL: http://svn.apache.org/r1464924 Log: Refactoring of URIGrant to utilise new Uri class instead of UriString. Changes to CombinerSecurityManager to better handle misbehaving policy or PermissionGrant implementations. Re-enable tests recently disabled. Added: river/jtsk/skunk/qa_refactor/trunk/src/org/apache/river/api/security/CodeSourceRequiredPermissions.java Removed: river/jtsk/skunk/qa_refactor/trunk/src/net/jini/loader/pref/CodeSourceWithPermissionsRequired.java Modified: river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseNotifyLeaseTestRenewShutdown.td river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseTxnMgrSpaceLeaseTest.td river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseTxnMgrSpaceLeaseTestCancel.td river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseTxnMgrSpaceLeaseTestRenew.td river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseTxnMgrSpaceLeaseTestRenewCancel.td river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/NullCasesTest.td river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/SubPoliciesTest.td river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/UntrustedGetContextClassLoader.td river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/loadersplitpolicyprovider/LoaderSplitPolicyProviderTest.td river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/spec/javaspace/conformance/ExpirationNotifyTest.td river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/spec/javaspace/conformance/snapshot/SnapshotExpirationNotifyTest.td river/jtsk/skunk/qa_refactor/trunk/src/org/apache/river/api/net/Uri.java 
river/jtsk/skunk/qa_refactor/trunk/src/org/apache/river/api/security/CombinerSecurityManager.java river/jtsk/skunk/qa_refactor/trunk/src/org/apache/river/api/security/URIGrant.java
Modified: river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseNotifyLeaseTestRenewShutdown.td URL: http://svn.apache.org/viewvc/river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseNotifyLeaseTestRenewShutdown.td?rev=1464924&r1=1464923&r2=1464924&view=diff ==============================================================================
--- river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseNotifyLeaseTestRenewShutdown.td (original)
+++ river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseNotifyLeaseTestRenewShutdown.td Fri Apr 5 11:12:44 2013
@@ -1,5 +1,5 @@
 #Test fails randomly, temporarily suspended pending release 2.3.0
-com.sun.jini.qa.harness.verifier=com.sun.jini.qa.harness.SkipTestVerifier
+#com.sun.jini.qa.harness.verifier=com.sun.jini.qa.harness.SkipTestVerifier
 testClass=UseNotifyLeaseTest
 testCategories=javaspace,javaspace_impl,javaspace_impl_leasing
 include0=../outrigger.properties
Modified: river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseTxnMgrSpaceLeaseTest.td URL: http://svn.apache.org/viewvc/river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseTxnMgrSpaceLeaseTest.td?rev=1464924&r1=1464923&r2=1464924&view=diff ==============================================================================
--- river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseTxnMgrSpaceLeaseTest.td (original)
+++ river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseTxnMgrSpaceLeaseTest.td Fri Apr 5 11:12:44 2013
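Review bot: The header comment `#Test fails randomly, temporarily suspended pending release 2.3.0` in UseNotifyLeaseTestRenewShutdown.td is left in place while the SkipTestVerifier line under it is only commented out, so the descriptor still says the test is suspended although it now runs. Either delete both lines or replace the comment with one that records the current state, for example `#Re-enabled in r1464924; was skipped for intermittent failures`. The same pattern repeats in the UseTxnMgrSpaceLeaseTest*.td, ExpirationNotifyTest.td and SnapshotExpirationNotifyTest.td hunks.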
@@ -1,5 +1,5 @@
 #Test fails randomly, temporarily suspended pending release 2.3.0
-com.sun.jini.qa.harness.verifier=com.sun.jini.qa.harness.SkipTestVerifier
+#com.sun.jini.qa.harness.verifier=com.sun.jini.qa.harness.SkipTestVerifier
 testClass=UseTxnMgrSpaceLeaseTest
 testCategories=javaspace,javaspace_impl,javaspace_impl_leasing
 include0=../outrigger.properties
Modified: river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseTxnMgrSpaceLeaseTestCancel.td URL: http://svn.apache.org/viewvc/river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseTxnMgrSpaceLeaseTestCancel.td?rev=1464924&r1=1464923&r2=1464924&view=diff ==============================================================================
--- river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseTxnMgrSpaceLeaseTestCancel.td (original)
+++ river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseTxnMgrSpaceLeaseTestCancel.td Fri Apr 5 11:12:44 2013
@@ -1,5 +1,5 @@
 #Test fails randomly, temporarily suspended pending release 2.3.0
-com.sun.jini.qa.harness.verifier=com.sun.jini.qa.harness.SkipTestVerifier
+#com.sun.jini.qa.harness.verifier=com.sun.jini.qa.harness.SkipTestVerifier
 testClass=UseTxnMgrSpaceLeaseTest
 testCategories=javaspace,javaspace_impl,javaspace_impl_leasing
 include0=../outrigger.properties
Modified: river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseTxnMgrSpaceLeaseTestRenew.td URL: http://svn.apache.org/viewvc/river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseTxnMgrSpaceLeaseTestRenew.td?rev=1464924&r1=1464923&r2=1464924&view=diff ==============================================================================
--- river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseTxnMgrSpaceLeaseTestRenew.td (original)
+++ river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseTxnMgrSpaceLeaseTestRenew.td Fri Apr 5 11:12:44 2013
@@ -1,5 +1,5 @@
 #Test fails randomly, temporarily suspended pending release 2.3.0
-com.sun.jini.qa.harness.verifier=com.sun.jini.qa.harness.SkipTestVerifier
+#com.sun.jini.qa.harness.verifier=com.sun.jini.qa.harness.SkipTestVerifier
 testClass=UseTxnMgrSpaceLeaseTest
 testCategories=javaspace,javaspace_impl,javaspace_impl_leasing
 include0=../outrigger.properties
Modified: river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseTxnMgrSpaceLeaseTestRenewCancel.td URL: http://svn.apache.org/viewvc/river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseTxnMgrSpaceLeaseTestRenewCancel.td?rev=1464924&r1=1464923&r2=1464924&view=diff ==============================================================================
--- river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseTxnMgrSpaceLeaseTestRenewCancel.td (original)
+++ river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/outrigger/leasing/UseTxnMgrSpaceLeaseTestRenewCancel.td Fri Apr 5 11:12:44 2013
@@ -1,5 +1,5 @@
 #Test fails randomly, temporarily suspended pending release 2.3.0
-com.sun.jini.qa.harness.verifier=com.sun.jini.qa.harness.SkipTestVerifier
+#com.sun.jini.qa.harness.verifier=com.sun.jini.qa.harness.SkipTestVerifier
 testClass=UseTxnMgrSpaceLeaseTest
 testCategories=javaspace,javaspace_impl,javaspace_impl_leasing
 include0=../outrigger.properties
Modified: river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td URL: http://svn.apache.org/viewvc/river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td?rev=1464924&r1=1464923&r2=1464924&view=diff ==============================================================================
--- river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td (original)
+++ river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/GetContextTest.td Fri Apr 5 11:12:44 2013
@@ -1,5 +1,5 @@
 testClass=GetContextTest
-testCategories=start,start_impl
+testCategories=start,start_impl,policyprovider
 #testClasspath=<harnessJar>$:${com.sun.jini.qa.home}$/lib$/qa1-start-tests.jar$:${com.sun.jini.qa.home}$/lib$/$qajinidep$:${com.sun.jini.jsk.home}$/lib$/jsk-platform.jar
 testClasspath=${altClasspath}$:${com.sun.jini.qa.home}/lib/qa1-start-tests.jar
Modified: river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/NullCasesTest.td URL: http://svn.apache.org/viewvc/river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/NullCasesTest.td?rev=1464924&r1=1464923&r2=1464924&view=diff ==============================================================================
--- river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/NullCasesTest.td (original)
+++ river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/NullCasesTest.td Fri Apr 5 11:12:44 2013
@@ -1,3 +1,3 @@
 testClass=NullCasesTest
-testCategories=start,start_impl
+testCategories=start,start_impl,policyprovider
 include0=../start.properties
Modified: river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/SubPoliciesTest.td URL: http://svn.apache.org/viewvc/river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/SubPoliciesTest.td?rev=1464924&r1=1464923&r2=1464924&view=diff ==============================================================================
--- river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/SubPoliciesTest.td (original)
+++ river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/SubPoliciesTest.td Fri Apr 5 11:12:44 2013
@@ -1,5 +1,5 @@
 testClass=SubPoliciesTest
-testCategories=start,start_impl
+testCategories=start,start_impl,policyprovider
 #testClasspath=${com.sun.jini.qa.home}$/lib$/harness.jar$:${com.sun.jini.qa.home}$/lib$/qa1-start-tests.jar$:${com.sun.jini.qa.home}$/lib$/$qajinidep$:${com.sun.jini.jsk.home}$/lib$/jsk-platform.jar
 testClasspath=${altClasspath}$:<file:lib/qa1-start-tests.jar>
Modified: river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/UntrustedGetContextClassLoader.td URL: http://svn.apache.org/viewvc/river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/UntrustedGetContextClassLoader.td?rev=1464924&r1=1464923&r2=1464924&view=diff ==============================================================================
--- river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/UntrustedGetContextClassLoader.td (original)
+++ river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/aggregatepolicyprovider/UntrustedGetContextClassLoader.td Fri Apr 5 11:12:44 2013
@@ -1,3 +1,3 @@
 testClass=UntrustedGetContextClassLoader
-testCategories=start,start_impl
+testCategories=start,start_impl,policyprovider
 include0=../start.properties
Modified: river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/loadersplitpolicyprovider/LoaderSplitPolicyProviderTest.td URL: http://svn.apache.org/viewvc/river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/loadersplitpolicyprovider/LoaderSplitPolicyProviderTest.td?rev=1464924&r1=1464923&r2=1464924&view=diff ==============================================================================
--- river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/loadersplitpolicyprovider/LoaderSplitPolicyProviderTest.td (original)
+++ river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/impl/start/loadersplitpolicyprovider/LoaderSplitPolicyProviderTest.td Fri Apr 5 11:12:44 2013
@@ -1,5 +1,5 @@
 testClass=LoaderSplitPolicyProviderTest
-testCategories=start,start_impl
+testCategories=start,start_impl,policyprovider
 testClasspath=${altClasspath}$:<file:lib/qa1-start-tests.jar>
 testPolicyfile=<url:harness/policy/defaulttest.policy>
 ldrPolicyfile=<url:LoaderSplitPolicyProviderTest.loader.policy>
Modified: river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/spec/javaspace/conformance/ExpirationNotifyTest.td URL: http://svn.apache.org/viewvc/river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/spec/javaspace/conformance/ExpirationNotifyTest.td?rev=1464924&r1=1464923&r2=1464924&view=diff ==============================================================================
--- river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/spec/javaspace/conformance/ExpirationNotifyTest.td (original)
+++ river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/spec/javaspace/conformance/ExpirationNotifyTest.td Fri Apr 5 11:12:44 2013
@@ -1,5 +1,5 @@
 #Test fails randomly, temporarily suspended pending release 2.3.0
-com.sun.jini.qa.harness.verifier=com.sun.jini.qa.harness.SkipTestVerifier
+#com.sun.jini.qa.harness.verifier=com.sun.jini.qa.harness.SkipTestVerifier
 testClass=ExpirationNotifyTest
 testCategories=javaspace,javaspace_spec,javaspace_conformance
 include0=javaspace.properties
Modified: river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/spec/javaspace/conformance/snapshot/SnapshotExpirationNotifyTest.td URL: http://svn.apache.org/viewvc/river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/spec/javaspace/conformance/snapshot/SnapshotExpirationNotifyTest.td?rev=1464924&r1=1464923&r2=1464924&view=diff ==============================================================================
--- river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/spec/javaspace/conformance/snapshot/SnapshotExpirationNotifyTest.td (original)
+++ river/jtsk/skunk/qa_refactor/trunk/qa/src/com/sun/jini/test/spec/javaspace/conformance/snapshot/SnapshotExpirationNotifyTest.td Fri Apr 5 11:12:44 2013
@@ -1,5 +1,5 @@
 #Test fails randomly, temporarily suspended pending release 2.3.0
-com.sun.jini.qa.harness.verifier=com.sun.jini.qa.harness.SkipTestVerifier
+#com.sun.jini.qa.harness.verifier=com.sun.jini.qa.harness.SkipTestVerifier
 testClass=SnapshotExpirationNotifyTest
 testCategories=javaspace,javaspace_spec,javaspace_conformance,snapshot
 include0=../javaspace.properties
Modified: river/jtsk/skunk/qa_refactor/trunk/src/org/apache/river/api/net/Uri.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/qa_refactor/trunk/src/org/apache/river/api/net/Uri.java?rev=1464924&r1=1464923&r2=1464924&view=diff ==============================================================================
--- river/jtsk/skunk/qa_refactor/trunk/src/org/apache/river/api/net/Uri.java (original)
+++ river/jtsk/skunk/qa_refactor/trunk/src/org/apache/river/api/net/Uri.java Fri Apr 5 11:12:44 2013
@@ -250,7 +250,7 @@ public final class Uri implements Compar } public static Uri urlToUri(URL url) throws URISyntaxException{ - return Uri.parseAndCreate(url.toString()); + return Uri.parseAndCreate(fixWindowsURI(url.toString())); } public static File uriToFile(Uri uri){ @@ -262,7 +262,8 @@ public final class Uri implements Compar if (File.separatorChar == '\\') { path = path.replace(File.separatorChar, '/'); } - return new Uri("file", null, path, null, null); //$NON-NLS-1$ + path = fixWindowsURI("file:" + path); + return Uri.escapeAndCreate(path); //$NON-NLS-1$ } public static Uri filePathToUri(String path) throws URISyntaxException{ @@ -284,7 +285,8 @@ public final class Uri implements Compar if (File.separatorChar == '\\') { path = path.replace(File.separatorChar, '/'); } - return new Uri("file", null, path, null, null); //$NON-NLS-1$ + path = fixWindowsURI("file:" + path); + return Uri.escapeAndCreate(path); //$NON-NLS-1$ } /* Begin Object Implementation */ @@ -935,6 +937,7 @@ public final class Uri implements Compar if (!(o instanceof Uri)) { return false; } + if (hash != o.hashCode()) return false; Uri uri = (Uri) o; if (uri.fragment == null && fragment != null || uri.fragment != null 
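Review bot: In the `@@ -262,7 +262,8 @@` hunk the file path is no longer passed as a separate component (`new Uri("file", null, path, null, null)`) but concatenated into `"file:" + path` and parsed, so characters that are legal in a file name but are URI delimiters (`#`, `?`, `%`) now depend entirely on what `fixWindowsURI` and `escapeAndCreate` do with them; neither is visible here, so this needs a test with such names. The local `path` is also reused to hold a complete URI string, and the `//$NON-NLS-1$` marker now trails a line without a string literal; `String uriString = fixWindowsURI("file:" + path); //$NON-NLS-1$` followed by `return Uri.escapeAndCreate(uriString);` keeps the two meanings apart. The same two lines are added again in the `@@ -284,7 +285,8 @@` hunk, and both enclosing methods start outside their hunks.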
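Review bot: The added `if (hash != o.hashCode()) return false;` in equals() is only a safe shortcut if the hash is computed from the same normalised form that the field comparisons after it use. If the rest of equals(), which lies outside this hunk, treats differences in scheme or host case or in percent-escape hex case as equal, hashCode() has to ignore them too, or two Uris that compared equal before this change will now compare unequal. A comment stating that invariant belongs on this line, e.g. `// hash is derived from the normalised form compared below`. Assuming `hash` is set at construction, as its direct use in implies() suggests, moving the check after the cast as `if (hash != uri.hash) return false;` would read more directly.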
@@ -1016,6 +1019,269 @@ public final class Uri implements Compar return false; } } + + /** + * Indicates whether the specified Uri is implied by this {@link + * Uri}. Returns {@code true} if all of the following conditions are + * {@code true}, otherwise {@code false}: + * <p> + * <ul> + * <li>this scheme is not {@code null} + * <li>this scheme is equal to {@code implied}'s scheme. + * <li>if this host is not {@code null}, the + * following conditions are checked + * <ul> + * <li>{@code cs}'s host is not {@code null} + * <li>the wildcard or partial wildcard of this {@code Uri}'s + * host matches {@code implied}'s host. + * </ul> + * <li>if this {@code Uri}'s port != -1 the port of {@code + * implied}'s location is equal to this {@code Uri}'s port + * <li>this {@code Uri}'s path matches {@code implied}'s path + * whereas special wildcard matching applies as described below. + * </ul> + * Matching rules for path: + * <ul> + * <li>if this {@code Uri}'s path ends with {@code "/-"}, + * then {@code implied}'s path must start with {@code Uri}'s path + * (exclusive the trailing '-') + * <li>if this {@code Uri}'s path ends with {@code "/*"}, + * then {@code implied}'s path must start with {@code Uri}'s path + * (exclusive the trailing '*') and must not have any further '/' + * <li>if this {@code Uri}'s path ends with {@code "/"}, + * then {@code implied}'s path must start with {@code Uri}'s path + * <li>if this {@code Uri}'s path does not end with {@code + * "/"}, then {@code implied}'s path must start with {@code Uri}'s + * path with the '/' appended to it. + * </ul> + * Examples for Uri that imply the Uri + * "http://harmony.apache.org/milestones/M9/apache-harmony.jar": + * + * <pre> + * http: + * http://*/milestones/M9/* + * http://*.apache.org/milestones/M9/* + * http://harmony.apache.org/milestones/- + * http://harmony.apache.org/milestones/M9/apache-harmony.jar + * </pre> + * + * @param implied + * the Uri to check. 
+ * @return {@code true} if the argument is implied by this + * {@code Uri}, otherwise {@code false}. + */ + public boolean implies(Uri implied) { // package private for junit + //.This section of code was copied from Apache Harmony's CodeSource + // SVN Revision 929252 + // + // Here, javadoc:N refers to the appropriate item in the API spec for + // the CodeSource.implies() + // The info was taken from the 1.5 final API spec + + // javadoc:1 +// if (cs == null) { +// return false; +// } + + /* Certificates can safely be ignored, they're checked by CertificateGrant */ + + // javadoc:2 + // with a comment: the javadoc says only about certificates and does + // not explicitly mention CodeSigners' certs. + // It seems more convenient to use getCerts() to get the real + // certificates - with a certificates got form the signers +// Certificate[] thizCerts = getCertificatesNoClone(); +// if (thizCerts != null) { +// Certificate[] thatCerts = cs.getCertificatesNoClone(); +// if (thatCerts == null +// || !PolicyUtils.matchSubset(thizCerts, thatCerts)) { +// return false; +// } +// } + + // javadoc:3 + + + //javadoc:3.1 +// URL otherURL = cs.getLocation(); +// if ( otherURL == null) { +// return false; +// } +// URI otherURI; +// try { +// otherURI = otherURL.toURI(); +// } catch (URISyntaxException ex) { +// return false; +// } + //javadoc:3.2 + if (hash == implied.hash){ + if (this.equals(implied)) { + return true; + } + } + //javadoc:3.3 + if ( scheme != null){ + if (!scheme.equalsIgnoreCase(implied.scheme)) { + return false; + } + } + //javadoc:3.4 + if (host != null) { + if (implied.host == null) { + return false; + } + + // 1. According to the spec, an empty string will be considered + // as "localhost" in the SocketPermission + // 2. 'file://' URLs will have an empty getHost() + // so, let's make a special processing of localhost-s, I do + // believe this'll improve performance of file:// code sources + + // + // Don't have to evaluate both the boolean-s each time. 
+ // It's better to evaluate them directly under if() statement. + // + // boolean thisIsLocalHost = thisHost.length() == 0 || "localhost".equals(thisHost); + // boolean thatIsLocalHost = thatHost.length() == 0 || "localhost".equals(thatHost); + // + // if( !(thisIsLocalHost && thatIsLocalHost) && + // !thisHost.equals(thatHost)) { + + if (!((host.length() == 0 || "localhost".equals(host)) && (implied.host //$NON-NLS-1$ + .length() == 0 || "localhost".equals(implied.host))) //$NON-NLS-1$ + && !host.equals(implied.host)) { + + // Do wildcard matching here to replace SocketPermission functionality. + // This section was copied from Apache Harmony SocketPermission + boolean hostNameMatches = false; + boolean isPartialWild = (host.charAt(0) == '*'); + if (isPartialWild) { + boolean isWild = (host.length() == 1); + if (isWild) { + hostNameMatches = true; + } else { + // Check if thisHost matches the end of thatHost after the wildcard + int length = host.length() - 1; + hostNameMatches = implied.host.regionMatches(implied.host.length() - length, + host, 1, length); + } + } + if (!hostNameMatches) return false; // else continue. + + /* Don't want to try resolving URIGrant, it either has a + * matching host or it doesn't. + * + * The following section is for resolving hosts, it is + * not relevant here, but has been preserved for information + * purposes only. + * + * Not only is it expensive to perform DNS resolution, hence + * the creation of URIGrant, but a CodeSource.implies + * may also require another SocketPermission which may + * cause the policy to get stuck in an endless loop, since it + * doesn't perform the implies in priviledged mode, it might + * also allow an attacker to substitute one codebase for + * another using a dns cache poisioning attack. In any case + * the DNS cannot be assumed trustworthy enough to supply + * the policy with information at this level. 
The implications + * are greater than the threat posed by SocketPermission + * which simply allows a network connection, as this may + * apply to any Permission, even AllPermission. + * + * Typically the URI of the codebase will be a match for + * the codebase annotation string that is stored as a URL + * in CodeSource, then converted to a URI for comparison. + */ + + // Obvious, but very slow way.... + // + // SocketPermission thisPerm = new SocketPermission( + // this.location.getHost(), "resolve"); + // SocketPermission thatPerm = new SocketPermission( + // cs.location.getHost(), "resolve"); + // if (!thisPerm.implies(thatPerm)) { + // return false; + // } + // + // let's cache it: + +// if (this.sp == null) { +// this.sp = new SocketPermission(thisHost, "resolve"); //$NON-NLS-1$ +// } +// +// if (cs.sp == null) { +// cs.sp = new SocketPermission(thatHost, "resolve"); //$NON-NLS-1$ +// } +// +// if (!this.sp.implies(cs.sp)) { +// return false; +// } + + } // if( ! this.location.getHost().equals(cs.location.getHost()) + } // if (this.location.getHost() != null) + + //javadoc:3.5 + if (port != -1) { + if (port != implied.port) { + return false; + } + } + + //javadoc:3.6 + // compatbility with URL.getFile + String thisFile; + String thatFile; + if (fileSchemeCaseInsensitiveOS){ + thisFile = path == null ? null: path.toUpperCase(Locale.ENGLISH); + thatFile = implied.path == null ? 
null: implied.path.toUpperCase(Locale.ENGLISH); + } else { + thisFile = path; + thatFile = implied.path; + } + if (thatFile == null || thisFile == null) return false; + if (thisFile.endsWith("/-")) { //javadoc:3.6."/-" //$NON-NLS-1$ + if (!thatFile.startsWith(thisFile.substring(0, thisFile + .length() - 2))) { + return false; + } + } else if (thisFile.endsWith("/*")) { //javadoc:3.6."/*" //$NON-NLS-1$ + if (!thatFile.startsWith(thisFile.substring(0, thisFile + .length() - 2))) { + return false; + } + // no further separators(s) allowed + if (thatFile.indexOf("/", thisFile.length() - 1) != -1) { //$NON-NLS-1$ + return false; + } + } else { + // javadoc:3.6."/" + if (!thisFile.equals(thatFile)) { + if (!thisFile.endsWith("/")) { //$NON-NLS-1$ + if (!thatFile.equals(thisFile + "/")) { //$NON-NLS-1$ + return false; + } + } else { + return false; + } + } + } + + // Fragment and path are ignored. + //javadoc:3.7 + // A URL Anchor is a URI Fragment. +// if (thiss.getFragment() != null) { +// if (!thiss.getFragment().equals(implied.getFragment())) { +// return false; +// } +// } + // ok, every check was made, and they all were successful. + // it's ok to return true. + + + // javadoc: a note about CodeSource with null location and null Certs + // is applicable here + return true; + } /** * Gets the decoded authority part of this URI. Added: river/jtsk/skunk/qa_refactor/trunk/src/org/apache/river/api/security/CodeSourceRequiredPermissions.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/qa_refactor/trunk/src/org/apache/river/api/security/CodeSourceRequiredPermissions.java?rev=1464924&view=auto ============================================================================== --- river/jtsk/skunk/qa_refactor/trunk/src/org/apache/river/api/security/CodeSourceRequiredPermissions.java (added) +++ river/jtsk/skunk/qa_refactor/trunk/src/org/apache/river/api/security/CodeSourceRequiredPermissions.java Fri Apr 5 11:12:44 2013 
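Review bot: In the new Uri.implies() the `/-` and `/*` branches build the prefix with `thisFile.substring(0, thisFile.length() - 2)`, which drops the `/` as well as the wildcard, although the Javadoc above says the prefix excludes only the trailing character. With constructed paths, `/opt/app/-` therefore also implies `/opt/app-other/x.jar`, and `/opt/app/*` implies `/opt/app.jar`; because this result decides which code a grant applies to, both branches should keep the separator with `thisFile.substring(0, thisFile.length() - 1)`. Two smaller mismatches in the same hunk: `if ( scheme != null)` skips the scheme comparison for a scheme-less Uri although the Javadoc lists a non-null scheme as a condition, and `host.charAt(0)` throws for an empty `host` when `implied.host` is a non-local name. The signature comment `// package private for junit` contradicts the `public` modifier, and a null `implied` is dereferenced at `implied.hash` now that the null check is commented out.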
@@ -0,0 +1,26 @@ + +package org.apache.river.api.security; + +import java.security.Permission; +import org.apache.river.api.common.Beta; + +/** + * Jar files that specify a META-INF/permissions.perm file as per the OSGi + * syntax, allow a ProxyVerifier to grant these permissions dynamically. + * + * @author peter + */ +@Beta +public interface CodeSourceRequiredPermissions { + /* TODO: Override and create our own CodeSource + * implementation that contains permissions.perm + * After we retrieve the manifest, class bytes and + * certificates, create the CodeSource we call + * defineClass(String name, byte[]b, int off, int len, CodeSource cs) + * + * This will be utilised by a class that overrides + * BasicProxyPreparer.getPermissions() + * to retrieve the advisory permissions. + */ + public Permission [] getPermissions(); +} Modified: river/jtsk/skunk/qa_refactor/trunk/src/org/apache/river/api/security/CombinerSecurityManager.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/qa_refactor/trunk/src/org/apache/river/api/security/CombinerSecurityManager.java?rev=1464924&r1=1464923&r2=1464924&view=diff ============================================================================== --- river/jtsk/skunk/qa_refactor/trunk/src/org/apache/river/api/security/CombinerSecurityManager.java (original) +++ river/jtsk/skunk/qa_refactor/trunk/src/org/apache/river/api/security/CombinerSecurityManager.java Fri Apr 5 11:12:44 2013 @@ -451,7 +451,7 @@ extends SecurityManager implements Cachi } try { // We can change either call to add a timeout. - latch.await(); // Throws InterruptedException + if (!latch.await(180L, TimeUnit.SECONDS)) return false; // Throws InterruptedException it = resultList.iterator(); try { while (it.hasNext()){ 
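Review bot: `getPermissions()` in the new CodeSourceRequiredPermissions interface has no Javadoc of its own; the only text beside it is a `/* TODO … */` block about a future CodeSource implementation. Since the type comment says the values come from the jar's own META-INF/permissions.perm, the method doc should state that these are permissions the code requests (the TODO calls them advisory), not permissions already granted, and that the caller still decides what to grant. It should also fix the array contract, for example `@return the permissions requested by this code source; never null, a new array on each call`, if that is what is intended. The file also begins without a licence header, which the other sources in the tree presumably carry.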
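Review bot: The new `if (!latch.await(180L, TimeUnit.SECONDS)) return false;` in CombinerSecurityManager denies the check on timeout, which fails closed, but it does so silently, so a timeout cannot be told apart from a policy denial afterwards. The literal should become a named constant and the timeout branch should log before returning, e.g. `if (!latch.await(CHECK_TIMEOUT_SECONDS, TimeUnit.SECONDS)) { /* log timeout for this permission */ return false; }`. Whether the still-running tasks are cancelled on this path cannot be seen from the hunk, since the method starts and ends outside it. The comment `// We can change either call to add a timeout.` and the trailing `// Throws InterruptedException` no longer describe the line and should be updated.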
@@ -521,26 +521,31 @@ extends SecurityManager implements Cachi } public Boolean call() throws Exception { - // Required for AggregatePolicyProvider. - Boolean result = AccessController.doPrivileged( - securityContext != null ? - securityContext.wrap( - new PrivilegedAction<Boolean>(){ - public Boolean run() { - boolean result = checkPermission(pd, p); - return Boolean.valueOf(result); + try { + // Required for AggregatePolicyProvider. + Boolean result = AccessController.doPrivileged( + securityContext != null ? + securityContext.wrap( + new PrivilegedAction<Boolean>(){ + public Boolean run() { + boolean result = checkPermission(pd, p); + return Boolean.valueOf(result); + } } + ) + :new PrivilegedAction<Boolean>(){ + public Boolean run() { + boolean result = checkPermission(pd, p); + return Boolean.valueOf(result); } - ) - :new PrivilegedAction<Boolean>(){ - public Boolean run() { - boolean result = checkPermission(pd, p); - return Boolean.valueOf(result); - } - } - ); - latch.countDown(); - return result; + } + ); + return result; + } finally { + // In case we exit with a runtime exception, ensure threads + // aren't left waiting. + latch.countDown(); + } } } Modified: river/jtsk/skunk/qa_refactor/trunk/src/org/apache/river/api/security/URIGrant.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/qa_refactor/trunk/src/org/apache/river/api/security/URIGrant.java?rev=1464924&r1=1464923&r2=1464924&view=diff ============================================================================== --- river/jtsk/skunk/qa_refactor/trunk/src/org/apache/river/api/security/URIGrant.java (original) +++ river/jtsk/skunk/qa_refactor/trunk/src/org/apache/river/api/security/URIGrant.java Fri Apr 5 11:12:44 2013 @@ -142,7 +142,7 @@ class URIGrant extends CertificateGrant return false; } for (int i = 0; i<l ; i++){ - if (implies(uris[i], implied)) return true; + if (uris[i].implies(implied)) return true; } return false; }
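Review bot: call() still builds the same anonymous `PrivilegedAction<Boolean>` twice, once for each arm of the `securityContext != null` conditional, and the re-indentation in this hunk makes the two copies harder to compare. Creating the action once and wrapping it only when a context is present removes the duplicate and the two `result` temporaries, and leaves the new try/finally around `latch.countDown()` as it is. How the waiting thread treats a task that ended with an exception is outside this hunk; it should be counted as a denial.

```java
public Boolean call() throws Exception {
    try {
        // Required for AggregatePolicyProvider.
        // Build the check once; only the wrapping differs between the two cases.
        PrivilegedAction<Boolean> check = new PrivilegedAction<Boolean>(){
            public Boolean run() {
                return Boolean.valueOf(checkPermission(pd, p));
            }
        };
        return AccessController.doPrivileged(
            securityContext != null ? securityContext.wrap(check) : check);
    } finally {
        // … unchanged: latch.countDown() and its comment …
    }
}
```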
